curl is vulnerable to an SSL CBC IV vulnerability when built to use OpenSSL for the SSL/TLS layer. This vulnerability has been identified (CVE-2011-3389) and is addressed by OpenSSL already as they have made a work-around to mitigate the problem. When doing so, they figured out that some servers didn't work with the work-around and offered a way to disable it. The bit used to disable the workaround was then added to the generic SSL_OP_ALL bitmask that SSL clients may use to enable work-arounds for better compatibility with servers. libcurl uses the SSL_OP_ALL bitmask. While SSL_OP_ALL is documented to enable "rather harmless" work-arounds, it does in this case effectively enable this security vulnerability again. There is no known exploit for this problem.

Reproducible: Always
*** This bug has been marked as a duplicate of bug 400799 ***